3 takeaways from the Colonial pipeline hack

By Christian Vasquez, Lesley Clark, Peter Behr | 05/17/2021 07:23 AM EDT

Cybersecurity experts have warned for years about the high-stakes risk of a ransomware attack on U.S. critical infrastructure. This month’s disruptive hack of the Colonial pipeline made those warnings impossible to dismiss.

A cyberattack on the Colonial pipeline last week is raising numerous questions about whether the Biden administration and industry are protecting the nation's energy infrastructure. Drew Angerer/Getty Images (Colonial pipeline tanks); T.J. Kirkpatrick-Pool/Getty Images (Biden); Joe Raedle/Getty Images (badge)

For years, cybersecurity experts, intelligence officials and lawmakers have warned about the high-stakes threat of a ransomware attack on U.S. critical infrastructure.

But it wasn’t until this month’s ransomware attack against Colonial Pipeline Co. that the real-world impact became tangible. The cyberattack by the DarkSide ransomware gang forced the Georgia-based company to shut down its entire 5,500-mile pipeline system, which supplies nearly half the fuel used along the U.S. East Coast. The hack exposed vulnerabilities in U.S. defenses and has already been dubbed a wake-up call for the Biden administration.

"If there was any remaining question as to whether cybercrime and ransomware in particular was a national security threat, I think that question resolved itself over the last week," said Chris Krebs, former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, on CBS’s "Face the Nation" yesterday.

Hackers did not appear to breach the operational technology that controls Colonial’s pipeline system; the intrusion hit the company’s business IT network. But for almost a week, the consequences were the same, because Colonial officials said they took the pipeline system offline themselves to keep the attack from spreading into those control systems. Panic buying caused fuel shortages across parts of the Southeast, and lines grew at gas stations even as administration officials pleaded with the public not to panic.

The crisis also threw a spotlight on the oversight capabilities of the Transportation Security Administration, the agency tasked with protecting roughly 2.7 million miles of U.S. pipeline networks. Lawmakers and energy regulators renewed calls for mandatory cybersecurity standards to replace the current system of voluntary guidelines.

On Thursday, Colonial said it had restarted its pipeline system, but now the pressure is on for the Biden administration and Congress to execute a viable plan to protect critical infrastructure from the growing number of ransomware threats, in which attackers encrypt victims’ files and systems and demand payment for the decryption key.

Here are three takeaways from the most disruptive cyberattack to have hit the U.S. energy sector:

Fallout for Biden

The lines at gas stations along the Eastern Seaboard may ease up, but they added to a cavalcade of crises at the White House door that pose an acute political problem for the administration. And they gave Republican critics of Biden’s green energy push a high-profile — if misleading — target.

Republicans cast the situation as a result of Biden’s embrace of clean energy and quick decision to cancel the Keystone XL pipeline, though the situation is unrelated. Keystone XL would have carried unrefined Canadian crude oil to the Gulf Coast. Colonial distributes petroleum products to East Coast markets.

"He’s taking us back to the ’70s," Sen. Tom Cotton (R-Ark.), one of several Republicans who sought to yoke Biden to the crippling gas shortages of the 1970s, said last week. "We’ve got chaos in the Middle East, inflation and lines at the gas pump."

Paul Bledsoe, who served as a climate adviser in the Clinton White House, called the ’70s comparison absurd: "One or two days of panic buying is not a sustained Arab oil embargo; it’s ridiculous."

Bledsoe said the disruption offers the administration ready ammunition for its efforts to invest in upgrading the nation’s crumbling infrastructure. Biden in a speech on the cyberattack last week called it an "urgent reminder" of the need to harden energy systems and called for congressional backing for his $2.3 trillion spending plan.

"They can make a case that upgrading our overall energy infrastructure would help prevent this incident in the future, not the least lessening our dependence on oil," said Bledsoe, a strategic adviser for the Progressive Policy Institute.

Republicans are unlikely to let the comparison go amid rising tension in the Middle East and rising gas prices — over which presidents have little control.

"We got gasoline lines; we got stations that have no gas," House Minority Leader Kevin McCarthy (R-Calif.) said Friday at a news conference. "The gas price has not been this high nationally since the last time Joe Biden was in the White House."

The White House is acutely aware of the political vulnerabilities, laboring last week to alleviate what Energy Secretary Jennifer Granholm called a supply "crunch" by waiving restrictions on truck drivers and certain Clean Air Act fuel requirements. It also twice lifted restrictions imposed by the Jones Act to allow the use of foreign-flagged ships to deliver to U.S. ports.

Biden dispatched a bevy of Cabinet officials, including Granholm, Transportation Secretary Pete Buttigieg and Secretary of Homeland Security Alejandro Mayorkas, to answer questions at the daily White House briefing. Granholm and Buttigieg also did a series of interviews with local television stations in some of the hardest-hit states.

Bledsoe said he sees an opportunity for Biden to reach common ground with Republicans by rebuking Russian President Vladimir Putin — whose country apparently hosted the DarkSide hackers behind the attack — and boosting U.S. energy exports to Europe.

Analysts with ClearView Energy Partners LLC noted that the Biden administration in the next few weeks faces two deadlines, including a second round of sanctions against Russia for the poisoning of opposition leader Alexei Navalny.

"We still cannot wholly rule out the prospect of prohibitions on U.S. imports of Russian petroleum," ClearView analysts said.

The State Department is also due this week to submit to Congress an update on the administration’s compliance with laws aimed at protecting European energy security that require sanctions on unspecified companies involved in the construction of a Russian gas pipeline to Europe.

Congressional Republicans have called for the administration to block construction of the nearly completed Nord Stream 2 natural gas pipeline, but Biden has called it "a complicated issue affecting our allies in Europe."

ClearView said the allegations of a Russian connection to the cyberattack "could make it politically harder for the White House to take a light touch" when imposing sanctions on the pipeline in the Baltic.

The cyberattack was only one of several emergencies the White House was grappling with, and Biden urged patience, telling Americans on Thursday to not "panic" and make the situation worse by hoarding gas.

"The president’s view is that this is exactly what he was elected to do: to lead the country during a time of multiple crises," White House press secretary Jen Psaki said Friday, noting that Biden came into office facing a pandemic and fractured economy. "This is why he put together the team he put together, to be prepared in these moments."

Cyber policy pressure

The ransomware attack has put an emphatic "told you so" exclamation point behind demands in Congress for stronger cyberdefenses of critical U.S. energy networks.

On Friday, a week after Colonial closed its pipeline system that spans from Houston to New York, more than a dozen members of the House Homeland Security Committee reintroduced the bipartisan "Pipeline Security Act," which passed the committee two years ago but got no further. The bill and other security measures are scheduled for a markup tomorrow.

According to its backers, the pipeline bill is part of the foundation for a governmentwide strategy that Congress wrote into the 2021 National Defense Authorization Act, enacted by lopsided margins over former President Trump’s veto.

The legislation designates TSA as the lead agency for cybersecurity oversight of energy pipelines and directs it to achieve an effective risk assessment and cyberdefense partnership with CISA.

TSA was given the pipeline responsibility after the 9/11 attacks but, limited by a skeletal staff, has lacked the capacity to do the job, according to critical reviews by the Government Accountability Office. One congressional staff member working on the policy said TSA’s shortcomings were considered a symptom of a governmentwide lack of leadership on cybersecurity oversight rather than a unique problem.

"TSA’s pipeline security team is woefully underresourced," said committee member Rep. Jim Langevin (D-R.I.), co-chair of the House Cybersecurity Caucus. "That is the root problem we’ve been facing in the sector for years, and that has been thrown into stark relief by the Colonial ransomware incident."

The goal of the House initiative, said Langevin, is to "codify the roles and responsibilities of sector risk management agencies, such as TSA, to better hold them accountable for understanding the consequence of cyber incidents targeting their sectors."

The NDAA directs specific agencies across the federal government — including TSA for the pipeline sector — to create measures to assess and prioritize cyber and physical security vulnerabilities, threats and defensive responses.

The legislation also puts a priority on expanding TSA’s staff strength and cybersecurity expertise, keys to its ability to evaluate the defenses of energy pipelines.

In fiscal 2020, TSA expanded its pipeline cybersecurity staffing from six to 34 positions. Within that staff is a 20-member Pipeline Security Assessment Team that has received cyber training at the Idaho National Laboratory and is completing certifications, a TSA spokesperson said.

The fiscal 2021 budget provides $3 million for pipeline cyber assessments, but TSA’s guidelines are voluntary best practices. "TSA cannot require a private company to take action," the spokesperson said.

Federal Energy Regulatory Commission Chairman Richard Glick, a Democrat, said the Colonial attack proves the need for stronger policies to protect natural gas pipelines, which fuel generators supplying 40% of the nation’s electricity.

"It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector," Glick said. "Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors."

That is not the course the bipartisan sponsors of the "Pipeline Security Act" chose to take, opting instead to strengthen TSA and see whether it rises to the challenge, one House committee staff member explained.

A team appointed by the Biden White House is conducting a 100-day review of cyber policy.

Biden has announced his choice of Chris Inglis as national cyber director, a job created by Congress in frustration with the empty chair for that role in the Trump administration, and Jen Easterly as CISA director.

Inglis spent nearly a decade as deputy director of the National Security Agency. Easterly, also an NSA veteran, was on the National Security Council under former President Obama (Energywire, April 13).

The Colonial outage has just expanded their agenda.

Hackers feel the heat

The impact of the Colonial hack appeared to shock even the ransomware attackers behind it.

Last Monday, the DarkSide ransomware gang said in a press release that the "goal is to make money, and not creating problems for society" (Energywire, May 11). Bloomberg reported that Colonial paid the hackers $5 million in digital currency hours after the company discovered the attack.

By Friday, the ransomware gang announced it had lost access to some of its servers, including its payment and leak site, according to cybersecurity firm Intel 471.

Other ransomware groups that, like DarkSide, often rent out their ransomware to affiliates for a percentage of the extortion profits have also taken note and gone even further underground. A major Russian-language forum for cybercriminals announced that ransomware was banned. The ransomware gang Babuk — recently in the news for extorting the Washington, D.C., police department, as the Associated Press reported — announced it was rebranding and switching to a "private mode of operation." Another ransomware gang claimed to be adopting "rules" such as barring affiliates from targeting government, health care and charity organizations, Intel 471 said.

However, experts warned that the recent moves by DarkSide and other cybercriminals could simply be a branding push to shake off unwanted attention.

"It certainly wouldn’t be the first time we’ve seen a known [ransomware-as-a-service] crew rebrand after a perceived break-up, and this usually happens after negative or unwanted press," said Michael DeBolt, senior vice president of intelligence at Intel 471, in an email.

"It’s very likely attacks will continue as normal, but the operators will be more careful about what they communicate and where," DeBolt said.

Biden warned on Thursday that his administration plans to go after the DarkSide ransomware gang and cybercriminals who extort businesses. He also noted that while there is no indication that the Kremlin was behind the attack, it’s likely the DarkSide operators reside in Russia.

"We have been in direct communications with Moscow about the imperative for responsible countries to take decisive actions against these ransomware networks," Biden said during a news conference Thursday. "We’re also going to pursue a measure to disrupt their ability to operate."

It’s unclear whether DarkSide was taken offline by federal authorities or whether the ransomware gang decided to close shop and lie low.

The National Security Council declined to comment. The U.S. Cyber Command did not respond to a request for comment.

But while DarkSide and other hacking groups change public-facing tactics, it’s unlikely they’ll stop operations anytime soon. Intel 471’s DeBolt noted that in the past year, many ransomware gangs have been focusing less on encrypting files and instead are moving toward pure extortion: stealing data and threatening to leak it unless the victim pays.

Ransomware continues to be a profitable business, and as most gangs operate from countries where the United States and its allies lack jurisdiction, there are few arrests. Acting CISA Director Brandon Wales said at a recent hearing that the federal government has yet to "crack the code" on defeating ransomware.

The administration has launched several actions aimed at improving U.S. digital defenses: DHS has been holding a series of 60-day "sprints" focusing on cyberthreats including ransomware; DOE and CISA recently announced a 100-day grid security plan; and Biden last week signed an executive order that calls for multiple major changes to federal cybersecurity (Energywire, May 13).

Additionally, the Department of Justice recently announced a ransomware task force focusing on disrupting the activities of the cybercriminals.

While the administration has promised to take a "whole of government" approach to fighting the scourge, it has also warned critical infrastructure owners to strengthen their own hacking defenses.

Granholm has said some in the energy industry have been slow to invest in cyberdefenses, and she urged oil and gas producers to step up their efforts to fend off cyberattacks in a virtual address last week to the Williston Basin Petroleum Conference in Bismarck, N.D.

"Since these pipes are carrying energy to all Americans, there is a particular concern that some don’t have sufficient cyberprotection on their systems," Granholm said Thursday, adding that the administration plans to further address the issue. "Suffice it to say that we all need to harden our defenses against these malevolent actors, whether they are rogue or state-sponsored criminals. The issue is just not going away, and it will and must be part of every single organization’s planning going forward."